nccgroup / autorepeater
Automated HTTP Request Repeating With Burp Suite
License: MIT License
Now that there's an AutoRepeater menu item I should move the import/export options to it to free up space within the AutoRepeater plugin UI.
I found two issues in requests with Content-Type: multipart/form-data.
In order to better reproduce these issues, I'm sending this base request:
POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 177
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"
20F4C2E40C658A7CF60080C4342227DD
------WebKitFormBoundary0Bmuvd5DrV6Q690A
1 - If you select as a replacement rule the following configuration:
Type: Request Param Value
Match: 20F4C2E40C658A7CF60080C4342227DD
Replace: aaa
Which: Replace First
Regex Match: Disabled
and send the previous request to AutoRepeater, you will see this modified request:
POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 277
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"
20F4C2E40C658A7CF60080C4342227DD
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"
aaa
------WebKitFormBoundary0Bmuvd5DrV6Q690A
so instead of replacing the value in the parameter csrf_token with aaa, it is appending an additional parameter. Ideally, the expected request should be
POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 277
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"
aaa
------WebKitFormBoundary0Bmuvd5DrV6Q690A
2 - If the request includes the following parameter:
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="photo_file"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary0Bmuvd5DrV6Q690A
the request is not received correctly. For example:
POST / HTTP/1.1
Host: www.google.com
Connection: close
Content-Length: 277
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0Bmuvd5DrV6Q690A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="csrf_token"
20F4C2E40C658A7CF60080C4342227DD
------WebKitFormBoundary0Bmuvd5DrV6Q690A
Content-Disposition: form-data; name="photo_file"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary0Bmuvd5DrV6Q690A
will output this error:
java.lang.UnsupportedOperationException: Action is not supported for this parameter type
at burp.sve.a(Unknown Source)
at burp.sve.removeParameter(Unknown Source)
at burp.Replacement.updateBurpParamName(Replacement.java:148)
at burp.Replacement.updateRequestParamValue(Replacement.java:265)
at burp.Replacement.performReplacement(Replacement.java:331)
at burp.AutoRepeater.lambda$modifyAndSendRequestAndLog$21(AutoRepeater.java:1202)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
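The replacement the multipart report above expects, sketched as an added example (not AutoRepeater's code and not using the Burp API): the named part's value is overwritten in place on the raw bytes, file parts such as photo_file with filename="" are left untouched, and Content-Length is recomputed. The function names, the example.test host and the sample request are constructed for illustration.

```python
import re

CRLF = b"\r\n"
NAME_RE = re.compile(rb'Content-Disposition:\s*form-data;.*?\bname="([^"]*)"', re.I)

def replace_part_value(body, boundary, name, new_value):
    """Overwrite the content of every non-file part called `name`, in place."""
    delim = b"--" + boundary
    segments = body.split(delim)  # [preamble, part, ..., closing "--"]
    replaced = 0
    for i in range(1, len(segments) - 1):
        head, sep, _old = segments[i].partition(CRLF + CRLF)
        m = NAME_RE.search(head)
        if not sep or not m or m.group(1) != name:
            continue  # malformed or different part: keep it byte-for-byte
        if b"filename=" in head.lower():
            continue  # file upload part (even with filename=""): not a form value
        segments[i] = head + sep + new_value + CRLF
        replaced += 1
    return delim.join(segments), replaced

def rewrite_request(raw, name, new_value):
    """Return (new_request, parts_replaced) with Content-Length recomputed."""
    head, sep, body = raw.partition(CRLF + CRLF)
    m = re.search(
        rb'(?im)^Content-Type:\s*multipart/form-data;.*?boundary="?([^";\r\n]+)', head)
    if not sep or not m:
        raise ValueError("not a multipart/form-data request")
    body, replaced = replace_part_value(body, m.group(1), name, new_value)
    head = re.sub(rb"(?im)^Content-Length:[ \t]*\d+",
                  b"Content-Length: %d" % len(body), head)
    return head + sep + body, replaced

# Constructed sample modelled on the request in the report (host is a placeholder).
BOUNDARY = b"----WebKitFormBoundary0Bmuvd5DrV6Q690A"
SAMPLE = CRLF.join([
    b"POST / HTTP/1.1",
    b"Host: example.test",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    b"Content-Length: 0",  # stale on purpose; rewrite_request recomputes it
    b"",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="csrf_token"',
    b"",
    b"20F4C2E40C658A7CF60080C4342227DD",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="photo_file"; filename=""',
    b"Content-Type: application/octet-stream",
    b"",
    b"",
    b"--" + BOUNDARY + b"--",
    b"",
])

if __name__ == "__main__":
    new_request, count = rewrite_request(SAMPLE, b"csrf_token", b"aaa")
    print(count, "part(s) replaced")
    print(new_request.decode("latin-1"))
```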
It would be useful to be able to perform replacements based on the response of a previous request to the domain. This would fix AutoRepeater not working for sites which rotate CSRF tokens on every request.
The export logic does not check to make sure the data written is valid CSV data.
Currently, AutoRepeater doesn't add the sent requests back to the Burp site map. There should be a toggleable option to enable this functionality in the AutoRepeater menu option.
Hi, first I wanna say congrats on that extension, very helpful!
I configured one tab to listen on proxy, and when I navigate to the same URL it repeats everything again. Do you have some way to prevent that? (just one request per URL)
Thx
They have to be pressed twice in order for the logs to correspond with the filters. Is this expected?
As per issue, if there is an easy way, it would be nice to auto-hide the settings pane as it takes up too much space on screen and if more info is added in the result columns, it will be even more.
It could auto-hide, and expand again only when tester moves their cursor over the right side area.
Replacements are currently limited to specific locations ("Request String", "Request Header", etc.). Another replacement type could be added to allow for searching the whole request for replacements, rather than just specific locations.
When using the "Request String" replacement, bytes which do not have a valid character mapped to them are replaced by the invalid character character which is then used as the byte value when the request body is transformed back into a byte[] to send.
First off, thanks for making and supporting this tool. It's pretty slick!
I'm currently testing a large multi-role application and it would be really helpful to be able to gain access to the same sort of right-click functionality available in HTTP history (send to, highlight, comment, etc.) in the AutoRepeater log.
The usage documentation is on the light side. There should be either some sort of video or better instructions for how to effectively use AutoRepeater.
Fellow NCCer here. I'm wondering if you have recommendations or plans for an import feature? My current engagement has 8 roles and I'd like to test them all at the same time with different tabs. However, when Burp inevitably dies, all the set up of those 8 tabs is lost. Any chance I can upload a JSON file that would configure my tabs? Thanks
Hello,
I noticed that Burp freezes for a certain time (approx ~2min) on "Clear Logs" on the latest clone.
Tested on Windows, with just 2 requests in AutoRepeater.
When I have an activated base replacement and only a disabled replacement exists, I end up sending two identical requests that reflect the effects of the base replacement.
The disabled replacement doesn't seem to be doing anything, but a request still seems to be fired because it's there.
It would be really nice if we could easily duplicate a log highlighter record.
I have some of them that come with like 4-5 conditions, and sometimes I need to create a similar highlighter with a small variation, so it would make it easier making new highlighters.
Thanks :)
It'd be great if there was an easy way to filter the results. For example, I don't particularly care if a style sheet is accessible to the world. Adding Proxy History-like filtering would be a beautiful thing.
There should be a "Replace Each" replacement mode which performs the replacement and sends the request for each instance of a match within a request. This would make it much easier to generate new requests with every string match, cookie, header, param, etc value changed one-at-a-time.
I'm using regex to match and replace values in a POST request.
The server is validating the Content-Length: value.
AutoRepeater is not adding this header.
I'm able to add a Content-Length: header, but I'm not sure how the Content-Length value can be automatically updated in each request, as the value is different for each request because of the regex-based match and replace rule?
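An added sketch (not AutoRepeater's code) covering both the "Request String" byte-corruption report and the Content-Length question above: a regex replacement done through a lossy text decode damages unmappable bytes, while a one-byte-per-character decode (ISO-8859-1) round-trips them, after which Content-Length is recomputed from the final body. Function names and the sample request are constructed for illustration; the regex is assumed to be ASCII.

```python
import re

def replace_lossy(raw: bytes, pattern: str, repl: str) -> bytes:
    """Failure mode: invalid bytes become U+FFFD and are sent as EF BF BD."""
    text = raw.decode("utf-8", errors="replace")
    return re.sub(pattern, lambda m: repl, text).encode("utf-8")

def replace_lossless(raw: bytes, pattern: str, repl: str) -> bytes:
    """ISO-8859-1 maps every byte 0x00-0xFF to one code point and back."""
    text = raw.decode("latin-1")
    # Carry a non-Latin-1 replacement through as its UTF-8 bytes.
    repl_l1 = repl.encode("utf-8").decode("latin-1")
    # A callable replacement avoids backslash/group-reference processing.
    return re.sub(pattern, lambda m: repl_l1, text).encode("latin-1")

def fix_content_length(raw: bytes) -> bytes:
    """Set Content-Length to the real body size; add the header if missing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw  # no header/body separator: nothing to recompute
    line = b"Content-Length: %d" % len(body)
    new_head, n = re.subn(rb"(?im)^Content-Length:[ \t]*\d+", line, head)
    if n == 0 and body:
        new_head = head + b"\r\n" + line
    return new_head + sep + body

def repeat_with_rule(raw: bytes, pattern: str, repl: str) -> bytes:
    """Apply one regex rule to the whole request, then repair the length."""
    return fix_content_length(replace_lossless(raw, pattern, repl))

# Constructed sample: the body carries bytes that are not valid UTF-8.
SAMPLE = (b"POST /upload HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Length: 25\r\n"
          b"\r\n"
          b"token=abc123&blob=\xff\xfe\x80\x00end")

if __name__ == "__main__":
    rule = (r"token=[a-z0-9]+", "token=REPLACED-LONGER")
    print(replace_lossy(SAMPLE, *rule))     # blob bytes are corrupted
    print(repeat_with_rule(SAMPLE, *rule))  # blob intact, length updated
```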
First, great tool! ✨
When I change the content-type from json to xml, the data passed does not change as it says in json. Is it a bug or intended use?
Pretty simple and straightforward feature request:
Add the ability to follow redirections within auto repeater. I'm thinking it would be useful to have a button similar to how repeater has a button to follow redirections for individual requests/responses, and have a checkbox to automatically follow redirection in the options section.
Find below two crude mockups of what I mean in case it isn't quite clear.
Per Request:
Options:
Current workaround: just send your modified request(s) to repeater and use the "Follow Redirection" button in repeater.
Cheers!
Can you please look into handling requests that time out?
This could be done in the same manner Burp's history time displays an empty response tab, and even be flagged. From my testing it seems to be a quite often thing due to WAFs etc.
Currently information about status codes and response lengths is shown. Timing information could also be useful when using AutoRepeater for certain types of testing (original response time, new response time, response time diff).
I use the newest build version. When I select the URL in the proxy list and choose Send To AutoRepeater, AutoRepeater flashes, but the list in the AutoRepeater tab doesn't show any request.
It would be nice if AutoRepeater could try to detect and extract any reflections, or even show a count of reflections in the same way that Flow does:
This maybe can be achieved by having the users define starting and ending points in the replacement payloads.
Of course this could lead to false positives or bugs due to length restrictions, server-side processing of the user input etc.
Firstly, thank you for the amazing tool. I have a question, please: assuming I have to replace one request header value, e.g. a CSRF header, and maybe two cookie values in the request, when I make the settings in AutoRepeater, it actually replaces one at a time, which will not let me get the desired result.
I am thinking of a situation whereby, when the replacement settings are set, AutoRepeater uses those settings all at once. What I have noticed till now is that AutoRepeater usually replaces the CSRF header value only in the first request, and in the next "Modified Request" it returns the old CSRF header that was in the original request again and replaces one of the cookie values; then next it will replace the last cookie value set and keep the original CSRF header value. So there will be no way all the settings are completely replaced at once, or together at the same time, in the modified request. This makes it difficult to get the actual desired result or to know if the test was successful. I don't know if I am doing anything wrong. I am waiting for your response.
Warm Regards
Dere sewa
Hi nccgroup,
I've tried your extension but it looks like the function does not work. I wonder if there is any requirement?
Thanks
Me again,
Looks like when I have a bunch of base replacements, but no regular replacements, AutoRepeater doesn't capture requests properly. I've attached two configuration files that show this:
The scenario I am trying to get working is to have an individual tab for each user session. Each tab needed several base replacements so that I could modify their CSRF token in the header and the numerous cookies the application uses to identify the user.
After log filtering and log highlighting are implemented it would be useful to introduce the ability to set the default options for new tabs to allow users to specify options that are active by default for all new tabs i.e. all modified requests with a 200 status code are highlighted green in the logs.
I may take a swing at this if I am feeling ambitious, but it likely won't be in the next few months so opening an issue in case anyone else wants to.
When using AutoRepeater to hunt for vertical and horizontal privesc it would be really helpful to filter logs based on the response length difference. A response length difference of 0 is a strong indication that two different requests received identical responses and that a VPE/HPE bug may be present.
I suggest adding "Regex Match" in the "Conditions", "Log Filter" and "Log Highlighter" tabs.
It would be useful to include an "Add Header" replacement.
Burp's tab highlight color is 0xff6633.
The BApp Store still has v1.0, which may be the cause of some of my other issues. Not sure how this update process works, but might be good to give it a boot.
I've noticed that when the Project Options > Sessions > Use cookies from Burp's cookie jar > Extender box is checked, AutoRepeater will not perform any replacements. This may just be how Burp works, but it took me a bit of digging to find the reason and for some of the operations (remove all cookies) was quite unexpected.
As in the following picture, when I used AutoRepeater for a while, the Log Filter frame may get stuck and freeze.
I just looked at some sites and logged about 100-150 items...
I used the latest version of AutoRepeater.jar.
It also leads to the whole of Burp Suite getting stuck.
Here is the configuration:
[{
"isActivated": true,
"isWhitelistFilter": true,
"baseReplacements": [{
"type": "Request String",
"match": "a",
"replace": "b",
"comment": "",
"which": "Replace First",
"isRegexMatch": false,
"isEnabled": true
},
{
"type": "Request Header",
"match": "User-Agent:.*?",
"replace": "User-Agent: jalsdjfouaosdf",
"comment": "",
"which": "Replace First",
"isRegexMatch": true,
"isEnabled": true
}],
"replacements": [{
"type": "Request Header",
"match": "User-Agent:.*?",
"replace": "User-Agent: () {:;};ping -nc 1 test.me\"",
"comment": "",
"which": "Replace First",
"isRegexMatch": true,
"isEnabled": true
},
{
"type": "Request Header",
"match": "User-Aget:.*?",
"replace": "User-Agent: testss",
"comment": "",
"which": "Replace All",
"isRegexMatch": true,
"isEnabled": true
}],
"conditions": [{
"booleanOperator": "",
"matchType": "Sent From Tool",
"matchRelationship": "Burp",
"matchCondition": "",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "jpg",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "js",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "png",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "gif",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "css",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "jpeg",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": "svg",
"isEnabled": true
},
{
"booleanOperator": "And",
"matchType": "File Extension",
"matchRelationship": "Does Not Match",
"matchCondition": ".ico",
"isEnabled": true
}],
"filters": [{
"originalOrModified": "Original",
"booleanOperator": "",
"matchType": "Sent From Tool",
"matchRelationship": "Burp",
"matchCondition": "",
"isEnabled": true
}],
"highlighters": [],
"tabName": "1"
}]
I've run into a possible bug where base replacements aren't being consistently applied. I have a collection of "Match Cookie, Replace Value" rules and it appears that in many cases only the first matching cookie is replaced. Later in the session, all are. I can't figure out
There's useful information that could be displayed in the Log Viewer, but it would be too cramped if everything was added. There should be an option to enable/disable specific columns in the log viewer.
It will be great to have the "Time Requested" column to better analyze the requests.
I think it would be useful to have the option to filter the logs for a given tab. I don't think it'll be too hard to implement given the code for triggering replacements on conditions can likely be reused to filter the log viewer.
Considering that the project is really light on documentation, I think it would help if things were labelled more accurately. For example, even though there is a UI option to enable / disable Regex Matches, this does not work. So:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
in Request String would not show any hits whereas:
User\-Agent\: Mozilla\/5\.0 \(Macintosh; Intel Mac OS X 10_13_6\) AppleWebKit\/537\.36 \(KHTML, like Gecko\) Chrome\/80\.0\.3984\.0 Safari\/537\.36
would show hits, even though the Regex Match option was not selected
Can you upload this app to BurpSuite's store?
It would be really nice if there would be an option to create payloads that generate collaborator subdomains and track these interactions, and then report back to the Sitemap's issues.
Maybe it's just not too obvious for me to get the log filter working the way I wanted it to be. An option to turn off the filter is nice to have when we are trying to see if we have configured something wrong and want it to show everything.
When a request contains parameters that are not PARAM_URL, PARAM_BODY and PARAM_COOKIE the application cannot correctly replace them.
When testing multi-role applications, I need to make the same replacements in each repeater instance. It would save me a bunch of time if I could duplicate a tab and then simply update the values.
It would be helpful to be able to save and load a set of replacements from a config file that's independent of burp's state.
This would probably be useful for quite a few situations, but as an example, I'm currently using AutoRepeater to aid with SQLi testing, and each test I have to set up quite a few replacements manually. It would be much quicker to be able to load these in from a config file.